


This isn't "Mochasoft", it's the way the OS/400 telnet server works.

The system has an "auto-configuration" capability which allows it to
create new devices, and vary them on.  If a device already exists, but
needs to be reconfigured, the "auto-config" will vary the device off,
change the settings, and then vary it back on.

The side-effect of this method is that if any configuration attributes
are sent by the client (such as terminal type, etc) the device will be
automatically varied on by the system.

If this is a security issue, you'll want to write a "Telnet device
initialization" exit program that will check the device to see if it's
currently varied off.   If it is, you'll want to deny access to the
device.

I posted an example of this type of exit program a while back.  You
can find it here:
http://archive.midrange.com/midrange-l/200103/msg00068.html

You may have to tweak the IsActiveDevice subprocedure to work exactly the way
you want it to...

Another thing that you need to consider if you're trying to make the
system secure is that a hacker could defeat the "3 invalid passwords"
issue simply by changing the name of the device he's connecting with.
So, if you make DSP01 get varied off after 3 invalid attempts, all he has
to do is change his device to DSP02.

You can prevent this by:
   1) Only allow connections from IP addresses that you trust.
   2) Make sure that each IP address can only use one particular
        device name, and that it can't be changed.

(This would be done by an exit program, like I referenced above)

You can also add a GREAT DEAL of additional security by only allowing SSL
encrypted clients to connect.   Especially if you tell the telnet server
to require clients to present valid certificates that were signed by your
company's AS/400.   This would make your telnet server virtually
impossible to break into by simply guessing passwords.


On Wed, 14 Nov 2001 glea@dextermag.com wrote:
>
> We are using Mochasoft for some of our access to the AS/400 both
> internally and externally.  We have the system set up so that it will
> vary off the device if the user keys the incorrect password three
> times.  We tried a little test yesterday and found that if the user
> selects "reset terminal" from the "Edit" drop down menu the device
> will be varied back on and a signon screen will reappear!  This
> happens even if the systems administrator has varied off the device
> manually.  Has anyone else had this experience and if so, how did you
> deal with it?
>
> Gary Lea
>
>
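
The checks described in the reply above (trusted addresses only, one fixed device name per address, refuse a device that is varied off), modelled as an added example in Python. This is not the exit program linked in the post and not OS/400 code; the policy table, status strings and function names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy table (assumption): each trusted client address is
# bound to exactly one device name, which the client cannot change.
IP_TO_DEVICE = {
    "10.1.1.21": "DSP01",
    "10.1.1.22": "DSP02",
}

@dataclass
class Request:
    client_ip: str          # address the telnet connection came from
    requested_device: str   # device name sent by the client ("" if none)

def decide(req, device_status):
    """Return (allow, device, reason) for one connection attempt.

    device_status is a hypothetical lookup of device name -> "VARIED ON" or
    "VARIED OFF", standing in for whatever the exit program queries.
    """
    try:
        ip = str(ipaddress.ip_address(req.client_ip))
    except ValueError:
        return (False, None, "malformed address")

    # 1) Only addresses in the table are trusted at all.
    bound = IP_TO_DEVICE.get(ip)
    if bound is None:
        return (False, None, "untrusted address")

    # 2) The client may not pick a different device name, so renaming
    #    DSP01 to DSP02 after a lockout gets nowhere.
    asked = req.requested_device.strip().upper() or bound
    if asked != bound:
        return (False, bound, "device name not permitted for this address")

    # 3) A device that was varied off (lockout or by the administrator) stays
    #    unusable instead of being varied back on by auto-configuration.
    if device_status.get(bound) == "VARIED OFF":
        return (False, bound, "device is varied off")

    return (True, bound, "ok")

if __name__ == "__main__":
    status = {"DSP01": "VARIED OFF", "DSP02": "VARIED ON"}  # constructed state
    for r in (Request("10.1.1.21", "DSP01"), Request("10.1.1.21", "DSP02"),
              Request("192.0.2.9", "DSP03"), Request("10.1.1.22", "")):
        print(r, "->", decide(r, status))
```
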


